[IS&T Security-FYI] SFYI Newsletter, December 19, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Dec 19 16:01:20 EST 2011


A bunch of updates and patches in this week's issue:


1. Adobe Updates Multiple Vulnerabilities

2. IE to Release Silent Updates Next Year

3. Google Chrome Update Addresses Vulnerabilities, Adds Privacy

4. Microsoft Patches Duqu Flaw on Patch Tuesday



----------------------------------------------------

1. Adobe Updates Multiple Vulnerabilities

----------------------------------------------------


Last week Adobe released Security Bulletin APSB11-30<http://www.adobe.com/support/security/bulletins/apsb11-30.html>, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. Adobe Reader, a browser plug-in for opening PDF documents hosted on a website, is available for multiple web browsers and operating systems.


Systems affected:


  *   Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  *   Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
  *   Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  *   Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh


Risk to Macintosh and UNIX users is significantly lower than for Windows users. Windows users should update to Adobe Reader 9.4.7 and Adobe Acrobat 9.4.7.


The latest version of these products can be downloaded from the Adobe site here<http://www.adobe.com/support/downloads/new.jsp>.


Note: Adobe Reader for Android and Adobe Flash Player are not affected by these issues.


Adobe plans to address the vulnerabilities in Reader X and Acrobat X as well as the vulnerabilities in the Macintosh and UNIX versions of Reader and Acrobat in the next quarterly security update, scheduled for January 10, 2012. Background on the release schedule for these patches is posted here<http://blogs.adobe.com/asset/2011/12/background-on-cve-2011-2462.html>.



-----------------------------------------------------

2. IE to Release Silent Updates Next Year

-----------------------------------------------------


Starting in January 2012, Microsoft will begin pushing silent updates for Internet Explorer (IE). The change is being made to help keep the Internet safer by not relying on users to install necessary security updates. Google's Chrome browser has updated in the background without user interaction since it was introduced in 2008.


The program will first be introduced in Australia and Brazil. The updater will push the most recent version of IE that runs on users' current operating systems. While Microsoft will not ask permission to upgrade to the next version of the browser, users will be able to choose to turn upgrades off. Additionally, IE upgrades will not be forced on users who have previously declined to upgrade to newer versions of the browser.


Mozilla plans to start background updates for Firefox starting with Firefox 12, which is scheduled to debut on April 24, 2012.


Read the full story in the news.<http://www.computerworld.com/s/article/9222690/Microsoft_gets_silent_upgrade_religion_will_push_IE_auto_updates>



------------------------------------------------------------------------------------

3. Google Chrome Update Addresses Vulnerabilities, Adds Privacy

------------------------------------------------------------------------------------


Last week Google updated its Chrome browser to version 16, patching fifteen security flaws in the process. Google paid a total of US $6,000 to researchers who alerted them to seven of the patched bugs. One of the new features made available in Chrome 16 allows multiple users on the same computer to keep their personal data, including bookmarks, separate and private from one another's. It allows separate identities without having to log out of the OS.


Read the full story in the news.<http://download.cnet.com/8301-2007_4-57342468-12/chrome-gets-multiple-user-support/>



----------------------------------------------------------------

4. Microsoft Patches Duqu Flaw on Patch Tuesday

----------------------------------------------------------------


On Patch Tuesday, December 13, Microsoft issued 13 security bulletins to address a total of 19 vulnerabilities.


The bulletins addressed flaws in Windows, Internet Explorer, Office and Windows Media Player. One patch was pulled because of incompatibility issues with third-party vendor SAP. Microsoft did patch the vulnerability exploited by the Duqu intelligence-gathering Trojan. The flaw had been the subject of an advisory released by Microsoft last November. This update was rated critical.


Read the full story in the news.<http://www.computerworld.com/s/article/9222639/Microsoft_scratches_BEAST_patch_at_last_minute_but_fixes_Duqu_bug>



===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================


Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

